[pacman-dev] [PATCH 2/2] doc, makepkg.conf: Deprecate md5sums, show examples using sha256sums.

Mike Swanson mikeonthecomputer at gmail.com
Thu Feb 23 21:31:17 UTC 2017


---
 doc/PKGBUILD-example.txt   |  4 ++--
 doc/PKGBUILD.5.txt         | 31 +++++++++++++++++++------------
 doc/makepkg-template.1.txt |  2 +-
 etc/makepkg.conf.in        |  2 +-
 4 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/doc/PKGBUILD-example.txt b/doc/PKGBUILD-example.txt
index 910fd068..d4e1c9c1 100644
--- a/doc/PKGBUILD-example.txt
+++ b/doc/PKGBUILD-example.txt
@@ -12,8 +12,8 @@ depends=('glibc')
 makedepends=('ed')
 optdepends=('ed: for "patch -e" functionality')
 source=("ftp://ftp.gnu.org/gnu/$pkgname/$pkgname-$pkgver.tar.xz"{,.sig})
-md5sums=('e9ae5393426d3ad783a300a338c09b72'
-         'SKIP')
+sha256sums=('9124ba46db0abd873d0995c2ca880e81252676bb6c03e0a37dfc5f608a9b0ceb'
+            'SKIP')
 
 build() {
 	cd "$srcdir/$pkgname-$pkgver"
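Review bot: the new sha256 digest for the tarball cannot be checked from the diff alone, and the commit message has no body; add a line stating that the digests in this hunk and in the makepkg-template example were regenerated from the upstream tarballs (for instance with `makepkg -g`), so a reviewer can tell they are real values rather than placeholders. Keeping 'SKIP' for the detached `.sig` entry is correct, since that file is the signature rather than something to checksum.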
diff --git a/doc/PKGBUILD.5.txt b/doc/PKGBUILD.5.txt
index 18bc2a19..edf469fe 100644
--- a/doc/PKGBUILD.5.txt
+++ b/doc/PKGBUILD.5.txt
@@ -118,7 +118,7 @@ systems (see below).
 +
 Additional architecture-specific sources can be added by appending an
 underscore and the architecture name e.g., 'source_x86_64=()'. There must be a
-corresponding integrity array with checksums, e.g. 'md5sums_x86_64=()'.
+corresponding integrity array with checksums, e.g. 'sha256sums_x86_64=()'.
 +
 It is also possible to change the name of the downloaded file, which is helpful
 with weird URLs and for handling multiple source files with the same
@@ -146,19 +146,26 @@ contain whitespace characters.
 	listed here will not be extracted with the rest of the source files. This
 	is useful for packages that use compressed data directly.
 
-*md5sums (array)*::
-	This array contains an MD5 hash for every source file specified in the
-	source array (in the same order). makepkg will use this to verify source
-	file integrity during subsequent builds. If 'SKIP' is put in the array
-	in place of a normal hash, the integrity check for that source file will
-	be skipped. To easily generate md5sums, run ``makepkg -g >> PKGBUILD''.
-	If desired, move the md5sums line to an appropriate location.
+*sha256sums (array)*::
+	This array contains a SHA256 hash for every source file specified in the
+	source array (in the same order).  makepkg will use this to verify
+	source file integrity during subsequent builds.  If 'SKIP' is put in the
+	array in place of a normal hash, the integrity check for that source
+	file will be skipped.  To easily generate sha256sums, run ``makepkg -g
+	>> PKGBUILD''.  If desired, move the sha256sums to an appropriate
+	location.
 
-*sha1sums, sha256sums, sha384sums, sha512sums (arrays)*::
+*sha384sums, sha512sums (arrays)*::
 	Alternative integrity checks that makepkg supports; these all behave
-	similar to the md5sums option described above. To enable use and generation
-	of these checksums, be sure to set up the `INTEGRITY_CHECK` option in
-	linkman:makepkg.conf[5].
+	similar to the sha256sums option described above. To enable use and
+	generation of these checksums, be sure to set up the `INTEGRITY_CHECK`
+	option in linkman:makepkg.conf[5].
+
+*md5sums, sha1sums (arrays)*::
+	Alternative legacy integrity checks that makepkg supports.  These are
+	supported for compatibility, but should not be used in current PKGBUILD
+	files due to known collision attacks on the algorithms, allowing
+	malicious files to pose as legitimate ones.
 
 *groups (array)*::
 	An array of symbolic names that represent groups of packages, allowing
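Review bot: the rewritten sha256sums entry uses two spaces after each sentence, which the rest of PKGBUILD.5.txt (including the sha384sums/sha512sums entry directly below it) does not; keep single spacing. The last sentence also drops a word: 'move the sha256sums to an appropriate location' should read 'move the sha256sums line to an appropriate location', as the original did. In the new md5sums/sha1sums entry, 'collision attacks ... allowing malicious files to pose as legitimate ones' slightly overstates the attack: a collision attack lets an attacker who controls both inputs produce two files with the same digest, whereas passing off an arbitrary file under a checksum published for a genuine one would need a second-preimage attack, which is not practical against either algorithm. Wording such as 'due to practical collision attacks on the algorithms, which let an attacker who supplies the original file prepare a second file with the same checksum' describes the risk that actually applies to source verification. Minor: 'behave similar to' should be 'behave similarly to' in the retained sha384sums/sha512sums text.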
diff --git a/doc/makepkg-template.1.txt b/doc/makepkg-template.1.txt
index 99637d43..53cb4997 100644
--- a/doc/makepkg-template.1.txt
+++ b/doc/makepkg-template.1.txt
@@ -88,7 +88,7 @@ Example PKGBUILD
 	license=('PerlArtistic' 'GPL')
 	depends=('perl')
 	source=("http://search.cpan.org/CPAN/authors/id/S/SH/SHERZODR/Config-Simple-${pkgver}.tar.gz")
-	md5sums=('f014aec54f0a1e2e880d317180fce502')
+	sha256sums=('dd9995706f0f9384a15ccffe116c3b6e22f42ba2e58d8f24ed03c4a0e386edb4')
 	_distname="Config-Simple"
 
 	# template start; name=perl-module; version=1.0;
diff --git a/etc/makepkg.conf.in b/etc/makepkg.conf.in
index 71293970..24b83d18 100644
--- a/etc/makepkg.conf.in
+++ b/etc/makepkg.conf.in
@@ -86,7 +86,7 @@ BUILDENV=(!distcc color !ccache check !sign)
 OPTIONS=(strip docs libtool staticlibs emptydirs zipman purge !debug)
 
 #-- File integrity checks to use. Valid: md5, sha1, sha256, sha384, sha512
-INTEGRITY_CHECK=(md5)
+INTEGRITY_CHECK=(sha256)
 #-- Options to be used when stripping binaries. See `man strip' for details.
 STRIP_BINARIES="@STRIP_BINARIES@"
 #-- Options to be used when stripping shared libraries. See `man strip' for details.
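Review bot: the comment line above INTEGRITY_CHECK still lists md5 and sha1 as valid values with no qualification, while the PKGBUILD.5 hunk in this same patch documents them as legacy; mark them as deprecated in the comment as well (for example 'Valid: sha256, sha384, sha512; md5 and sha1 are deprecated') so the shipped configuration and the manual page agree.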
-- 
2.11.1